net.wars: Six degrees of virus infection

by Wendy M Grossman | posted on 29 August 2003

The guy from Microsoft agreed about the dangers of software monoculture, but was truly puzzled when I said, "Most viruses these days spread via the Outlook address book."

"They can't," he said. "We put out a patch for that years ago." In 2000, to be precise.

I appealed to the others of my brethren at the press conference to back me up. "People don't know about it," said Simon.

No, they don't, and even if you want to take the view, as PC Pro columnist Jon Honeyball does, that any business that got hit by the Sobig.F worm should fire its IT director for incompetence, it's not fair to condemn consumers.

What I wanted to write is a clever little piece about the epidemiology of computer viruses, but it turned out to be too complicated. With the biological equivalent, you can make valid predictions about whether you're at risk: you travelled on a plane with someone infected with SARS, or a kid at your kid's school has chicken pox and may have infected your kid and, since you never had it, you.

But I'm in all sorts of address books, as evidenced by the number of "Hi - here's my new email address" messages I get from people I've never heard of. Unlike the physical world, I'm closer, in viral terms, to people I barely know. The addresses of my closest friends, with whom I correspond frequently, usually aren't in my (non-Outlook) address book, because I know them by heart. Sobig extracted email addresses from Web caches on people's hard drives and all sorts of other obscure locations. None of the hundreds of copies I got came from anyone I know.

The rise of such techniques means that any sort of epidemiology is nearly meaningless. For the future, it's probably much more important to assume that everyone is at risk and ask what we are going to do about a situation that is escalating so far out of control. It's morbidly funny: people used to talk about convergence as this great thing coming towards us, and they meant broadcasting, computers, and telecommunications. In fact the convergence we're getting is spam and viruses. The problem is that all the choices on offer to combat this marriage are bad.

Anti-virus software and patches to fix holes are by their nature reactive. They place an immense burden on the end user not only to install the software but to constantly update it all. Suppose you had to constantly scan building trade Web sites to check up on all the pieces that make up your house. This hour, a new vulnerability in the pointing used to secure brickwork. Next hour, important information about the angling of drain pipes. And even if beleaguered computer owners do all this, a fast-spreading worm will get to them before the update does. Patching, a number of folks are beginning to agree, is broken.

Cue Microsoft, "We'll make updates automatic." Even worse. Such a system - which is what software companies want in order to turn their products into subscription services anyway - means the owner/user relinquishes all control over the computer. Lots of us have little rules about when and how to apply updates. "Never buy version 1.0 of anything." "Never install a new operating system until the first service pack has been released." "Never install the service pack until others have reported back what the problems are." And so on.

Like a lot of technological fixes, it sounds wonderful: a trouble-free existence in which your computer is always well-behaved, always up-to-date, and always secure. It was a fantasy in 1981, and it's a fantasy now. But I bet the whole scheme will die when the company's lawyers get hold of it. If Microsoft applies automatic updates and breaks my system, can't I sue them? Especially if their software hasn't backed up my hard drive first? If they're going to make something mandatory, backups should be first in line.

The idea I like best is behaviour blocking, which of course is not a remotely new idea (even in the days when viruses were spread on floppy disks there were programs that would spot and stop virus-like behaviour).

The computer-illiterates of this world could even use that if, instead of asking impenetrable queries like "Allow Outlook to access the Internet?", the software asked, "Outlook is trying to send 1,458 copies of the same email message. Do you really want to do this? Click here to see the message. Click here to see the list of recipients." Even the technically inept could understand that.

There is no doubt the threats are escalating and broadband, with all its benefits, is a large part of why. Give millions of ignorant users a fat pipe and a computer they don't understand, all using roughly the same software, and you have a situation ripe for exploitation by the malicious, unscrupulous, and stupid. At least short-term, it seems to me that the key people to help fix this situation are the ISPs, who are the chokepoints through which all this garbage must pass.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).